
Alpaquita Linux: Verifying signed container images

1. Overview

Container images play a crucial role in containerized application development. They enable applications to be packaged and deployed consistently across multiple environments, eliminating concerns about dependencies or configuration differences.

An image pulled from a registry carries no intrinsic proof of who built it or whether it was altered after publication. Without a cryptographic signature, neither its origin nor its contents can be verified.

By signing its container images, BellSoft attaches a digital signature, computed over the image manifest digest with its private key, to each image. Users of those images can check the signature with the corresponding public key and so confirm that an image was published by BellSoft and has not been modified since.

This document explains how to verify digital signatures of BellSoft hardened container images.

Signing utility and keys

There are various methods for signing container images, for example with a private/public key pair or with certificates issued by a trusted third-party certificate authority. BellSoft signs its hardened container images, such as hardened-base, hardened-liberica-runtime-container, hardened-liberica-native-image-kit-container, and others, with the BellSoft private key; cosign stores the resulting signature in the same registry repository as the image it covers. Users verify the signature with the corresponding public key, published at https://download.bell-sw.com/pki/cosign-bellsoft.pub.

Verification is done with the cosign utility. Cosign is an open-source tool from the Sigstore project that signs, verifies, and stores signatures for container images and other artifacts. Because the signature binds the image manifest digest rather than a tag, a successful verification tells you that the exact manifest you pulled was signed with the BellSoft key; it says nothing about whether a tag still points at the image you expect, so record the digest and compare it on every pull as well.

2. Verifying BellSoft container images

This part of the document provides commands and examples to help you verify the signature of the BellSoft hardened container images.

Before you can verify images, install the cosign utility on your system. For the installation instructions, refer to the Sigstore documentation.

Verification commands

You can verify a BellSoft container image against a public key with the cosign verify command. The command exits with status 0 if at least one cosign-format signature attached to the image verifies against the given public key, and with a non-zero status otherwise. The payload of each valid signature is printed to standard output as JSON; the human-readable verification summary goes to standard error.

The general verification format of the cosign verify command is as follows.

cosign verify [--key <key path>|<key url>|<kms uri>] <image uri>

For example, to verify the signature of the hardened-gcc:14.2-glibc image, download the BellSoft public key over HTTPS from the URL above, save it (here as ~/keys/cosign-bellsoft.pub), and run:

cosign verify --key ~/keys/cosign-bellsoft.pub bellsoft.azurecr.io/hardened-gcc:14.2-glibc

Output:

Verification for bellsoft.azurecr.io/hardened-gcc:14.2-glibc --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"bellsoft.azurecr.io/hardened-gcc:14.2-glibc"},"image":{"docker-manifest-digest":"sha256:bd1778b0eec2076adbd42303316e6f6838e7d619f1763a43a44f28c4de99a0f2"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":null}]
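The script below is an added illustration and is not part of BellSoft's documentation or tooling. It wraps the cosign verify call shown above in a pinned-digest check: it runs the verification, extracts every docker-manifest-digest from cosign's JSON output, and fails unless the digest you recorded when you first vetted the image is among them. The JSON sample embedded in the script is the output line shown above; the key location ~/keys/cosign-bellsoft.pub and the COSIGN_BELLSOFT_KEY override variable are assumptions of this example. Parsing uses only grep and sed so it does not require jq.

```shell
#!/bin/sh
# Added example (not BellSoft's script): verify a BellSoft image with cosign
# and additionally require a pinned manifest digest to appear in the result.
# Assumptions: cosign is on PATH; the public key was downloaded from
# https://download.bell-sw.com/pki/cosign-bellsoft.pub and saved locally.

KEY="${COSIGN_BELLSOFT_KEY:-$HOME/keys/cosign-bellsoft.pub}"   # assumed key location

# Print every docker-manifest-digest found in cosign's JSON output, one per line.
# cosign emits one JSON object per valid signature, all on a single line,
# so grep -o is used rather than a line-oriented sed.
digests_from_cosign_json() {
    printf '%s\n' "$1" \
        | grep -o '"docker-manifest-digest":"sha256:[0-9a-f]\{64\}"' \
        | sed 's/.*"\(sha256:[0-9a-f]*\)"$/\1/'
}

# Succeed only if the expected digest ($2) is among the signed digests in $1.
# -x forces a whole-line match so a truncated digest prefix is rejected.
digest_is_signed() {
    digests_from_cosign_json "$1" | grep -qxF -- "$2"
}

# Run cosign verify and enforce the pinned digest. Exit codes:
#   0 signature valid and digest matches, 1 cosign rejected the image,
#   2 signature valid but for a different manifest than the one pinned.
verify_pinned() {
    image="$1"; expected="$2"
    # cosign writes the human-readable summary to stderr and the JSON to stdout.
    if ! out=$(cosign verify --key "$KEY" "$image"); then
        echo "FAIL: no valid BellSoft signature for $image" >&2
        return 1
    fi
    if digest_is_signed "$out" "$expected"; then
        echo "OK: $image is signed by BellSoft and resolves to $expected"
        return 0
    fi
    echo "FAIL: signature is valid but not for pinned digest $expected" >&2
    echo "      signed digests: $(digests_from_cosign_json "$out" | tr '\n' ' ')" >&2
    return 2
}

# Constructed sample: the JSON line cosign printed in the example above.
SAMPLE_JSON='[{"critical":{"identity":{"docker-reference":"bellsoft.azurecr.io/hardened-gcc:14.2-glibc"},"image":{"docker-manifest-digest":"sha256:bd1778b0eec2076adbd42303316e6f6838e7d619f1763a43a44f28c4de99a0f2"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":null}]'
SAMPLE_DIGEST='sha256:bd1778b0eec2076adbd42303316e6f6838e7d619f1763a43a44f28c4de99a0f2'

# Usage: ./verify-pinned.sh <image> <sha256:digest>
# e.g.   ./verify-pinned.sh bellsoft.azurecr.io/hardened-gcc:14.2-glibc "$SAMPLE_DIGEST"
if [ "$#" -ge 2 ]; then
    verify_pinned "$1" "$2"
fi
```

Passing the image as bellsoft.azurecr.io/hardened-gcc@sha256:... instead of a tag makes cosign fetch exactly that manifest, which is the more robust way to pin in CI; the explicit digest comparison above is still useful when the reference comes from a tag, because a tag can be moved to a different (even a validly signed) image without the verification noticing.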

Basic cosign commands for local verification

The following commands verify a signature against a public key you supply; cosign.pub and user/demo are placeholders for the key file and the image reference.

  • Verifying with an on-disk public key provided by the signer or another organization:

    cosign verify --key cosign.pub user/demo
  • Verifying an image that was saved to disk with cosign save:

    cosign verify --key cosign.pub --local-image PATH/to/user/demo

Note:
You can pass more than one image to cosign verify.

For more information, refer to the cosign official documentation.
